I called customer service of a well known company and discovered that the operator had the ability to view my website password in clear text on her screen.

I asked her about this and she defended the policy saying it was for FCC (Federal Communications Commission in the USA) compliance.

I've never heard of this requirement, and would love to know if any industry is required to keep a clear text version of the password, or if the IT manager responsible for this is referenced in this popular SO question.

Is there any legitimacy to the representative's claim that a clear-text password is required by law?

Update 1:

I called the manager for more information. Their reasoning for knowing the cleartext password is related to "CPNI", or Customer Proprietary Network Information. I will need to research this topic more.

What industry does the "well known company" do business in? The context could help a bit here, though I'm still not familiar with any FCC regulations requiring passwords to be stored in the clear.
– Iszi Aug 2 '11 at 16:01

I'd be interested to hear your explanation of "even that isn't truly the case". I thought all ham transmissions had to be in the clear?
– Iszi Aug 2 '11 at 15:58


97.1 13(a)(4) prohibits "messages in codes or ciphers intended to obscure the meaning thereof." A password's meaning is not obscured by encrypting it. One can't operate a secured channel, but one can transmit coded information where the meaning is clear, such as a challenge-and-response password exchange.
– Jeff Ferland♦ Aug 2 '11 at 17:26

I think the legality of that is highly debatable, but it's probably unlikely that the case will ever actually come up or that it would be brought to the FCC's notice if it did.
– Iszi Aug 3 '11 at 13:15

@Iszi - Jeff is correct here; it is the equivalent of a transmission in the form A: "Authenticate Bravo X-Ray 3 1 2" / B: "Bravo X-Ray 3 1 2 I Authenticate Juliet Whiskey 7 4 9". You have no idea what the challenge/response mean without the authentication cipher's key, but it's clear it's a challenge/response to authenticate the communicating party. You cannot, however, have the remainder of the conversation in code - that must be in the clear.
– voretaq7 Aug 4 '11 at 19:04

The government later claimed that it is sufficient to provide other credentials allowing access to the account in question. (Sorry, I cannot find an English source for this right now, without spending more time on it).

It is common for internet service providers to store passwords in clear text as I explained in this answer for the technical reasons of supported old protocols.
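As an added example (not from this answer or any comment above) of the two points made here: the challenge/response exchange voretaq7 describes leaves the secret off the wire, and a CHAP-style check of that kind needs a password-equivalent on the server, which is exactly why legacy protocols push providers toward clear-text storage. Names, the sample password and the PBKDF2 parameters are hypothetical choices for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credential; in a real system this is the subscriber's password.
SHARED_SECRET = b"correct horse battery staple"
PBKDF2_ROUNDS = 200_000


def issue_challenge() -> bytes:
    """Server side: a fresh random nonce, sent in the clear."""
    return os.urandom(16)


def client_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the secret without transmitting it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def server_verify_chap(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recomputes the expected response, so it must hold the
    secret itself (or a password-equivalent), not a one-way hash of it."""
    expected = hmac.new(stored_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def hash_password(password: bytes, salt: bytes = b"") -> tuple:
    """Alternative storage: salted PBKDF2. Enough to verify a password typed
    at login, and nothing a support agent can read back from the screen."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def verify_password(password: bytes, salt: bytes, digest: bytes) -> bool:
    """Login check against the hashed record (constant-time comparison)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def run_exchange(stored_secret: bytes, client_secret: bytes) -> tuple:
    """One full exchange; returns what an observer sees plus the verdict.
    Neither returned value contains the secret, yet the exchange is obviously
    an authentication, which is the distinction drawn in the comments."""
    challenge = issue_challenge()
    response = client_response(client_secret, challenge)
    return challenge, response, server_verify_chap(stored_secret, challenge, response)
```

A provider that stores only `hash_password` output can run `verify_password` but cannot complete `server_verify_chap`, which is the trade-off behind the clear-text storage this answer mentions.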

I don't know. I confess my first guess would be baloney or misunderstanding of the law.

In my experience, it is not uncommon for companies with dumb policies to blame those policies on security or on the federal government. Sometimes folks are acting in good faith and are just confused about what the law or security actually requires. Sometimes it is a calculated excuse to make customers shut up and deflect complaints.

(You can even see this on airplanes, where airplane attendants will tell you to do all sorts of things in the name of security (e.g., "for security, only use the lavatory in your ticketed cabin"), when there is actually no government regulation or reasonable security justification requiring that.)

Of course, there could actually be some stupid regulation requiring this -- but I'm pretty skeptical.

I would try to get a citation to the specific law or regulation (not just "it has to do with CPNI"). You could also try asking for the name of the government agency that they claim issues those regulations, then call up that agency to ask them point-blank if that's something they require and ask them for a citation and a copy of the regulation. In my experience, if I'm able to look at the actual regulation, it's not unusual to find that it doesn't actually require what people think or say it does.

Actually, in the U.S. "Federal Aviation Regulations require passenger compliance with the lighted passenger information signs, posted placards, areas designated for safety purposes as no smoking areas, and crewmember instructions with regard to these items." [Sec. 121.571] (rgl.faa.gov/Regulatory_and_Guidance_Library/rgFAR.nsf/0/…) If the crewmembers make the safety rules for your flight, it's difficult to object.
– this.josh Aug 3 '11 at 1:37


@this.josh, no, that is not justification. That makes clear that crew members (or the carrier) could refrain from requiring passengers to abide by this restriction -- but they don't, because it suits their own interests better to impose this restriction. Their real reason has nothing to do with security (it has to do with protecting the revenue and quality of their first-class cabin), but they blame it on security to try to defuse criticism and deflect blame. That's cynical, but it's common. (To be clear, I support that particular rule, but I oppose lying about the justification.)
– D.W. Aug 3 '11 at 6:39

(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and

(B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier;

My guess is that your password is not printed on your bill, so that rules out part B.

I can't figure out how a password relates to a telecommunications service except to provide security for the information describing that service, so that seems like it's not part A either.

To expand on D.W.'s answer in a slightly different direction, it could be that it is a faulty interpretation designed to "cover all the bases" and/or the interpretation of a vague/misleading requirement that they feel will cover themselves as completely as they can.

I work in Healthcare, specifically the Education department for a moderately large health system, and I've seen some really stupid education "requirements" come across my desk for either or both of the above. Usually there is a much more reasonable interpretation that meets all the stated requirements of the regulation or certification, but some people just aren't satisfied if it isn't the most convoluted and/or absurd interpretation.